Scribd
Upload
206 views

List ! - List - List ! - List

The document provides configuration details for setting up and optimizing an Unbound DNS resolver. It includes instructions for installing Unbound, configuring zones and caching, enabling forwarding, and setting up logging and controls. Statistics are also shown for the Unbound instance demonstrating good performance.

Uploaded by

James Bold
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
206 views

List ! - List - List ! - List

The document provides configuration details for setting up and optimizing an Unbound DNS resolver. It includes instructions for installing Unbound, configuring zones and caching, enabling forwarding, and setting up logging and controls. Statistics are also shown for the Unbound instance demonstrating good performance.

Uploaded by

James Bold
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 12

UNBOUND /ip firewall nat add action=masquerade chain=srcnat comment="MASQUERADE MIKROTIK" disabled=no outinterface=Public add action=dst-nat chain=dstnat comment="DNS

UNBOUND" disabled=no dst-port=53 ininterface=Local protocol=udp to-addresses=192.168.3.254 to-ports=53 add action=dst-nat chain=dstnat comment="TRANSPARENT PROXY" disabled=no dst-addresslist=!ProxyNET dst-port=80,8080,3128 in-interface=Local protocol=tcp to-addresses=192.168.3.254 toports=3128
/ip fi nat add action=dst-nat chain=dstnat comment="Transfarent DNS" disabled=no dstaddress-list=!Proxy dst-port=53 protocol=udp src-address-list=Far_net to-addresses=192.168.2.2 to-ports=53 add action=dst-nat chain=dstnat comment="" disabled=no dst-addresslist=!Proxy dst-port=53 protocol=tcp src-address-list=Far_net to-addresses=192.168.2.2 to-ports=53

cd /usr/ports/dns/unbound make config (centang Libevent & Thread) make install clean cd /usr/local/etc/unbound fetch ftp://FTP.INTERNIC.NET/domain/named.cache unbound-control-setup chown unbound:wheel unbound_* chmod 440 unbound_* mkdir /usr/local/etc/unbound/dev echo "devfs /usr/local/etc/unbound/dev devfs rw 0 0" >> /etc/fstab echo 'unbound_enable="YES"' >> /etc/rc.conf echo 'devfs_set_rulesets="/usr/local/etc/unbound/dev=unbound_ruleset"' >> /etc/rc.conf

verbosity: 5 statistics-interval: 120 num-threads: 2 interface: 0.0.0.0 outgoing-range: 512 num-queries-per-thread: 1024 msg-cache-size: 16m rrset-cache-size: 32m

msg-cache-slabs: 4 rrset-cache-slabs: 4 cache-max-ttl: 86400 infra-host-ttl: 60 infra-lame-ttl: 120 infra-cache-numhosts: 10000 infra-cache-lame-size: 10k do-ip4: yes do-ip6: no do-udp: yes do-tcp: yes do-daemonize: yes access-control: 0.0.0.0/0 allow access-control: 127.0.0.0/8 allow chroot: "/usr/local/etc/unbound" username: "unbound" directory: "/usr/local/etc/unbound" #logfile: "/usr/local/etc/unbound/unbound.log" #use-syslog: yes logfile: "" use-syslog: no pidfile: "/usr/local/etc/unbound/unbound.pid" root-hints: "/usr/local/etc/unbound/named.cache" identity: "DNS" version: "1.0" hide-identity: yes hide-version: yes harden-glue: yes do-not-query-address: 127.0.0.1/8 do-not-query-localhost: yes module-config: "iterator" local-zone: "localhost." static local-data: "localhost. 10800 IN NS localhost." local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" local-data: "localhost. 10800 IN A 127.0.0.1" local-zone: "127.in-addr.arpa." static local-data: "127.in-addr.arpa. 10800 IN NS localhost." local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800" local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost." local-zone: "xxxxx.net." static local-data: "xxxxx.net. 86400 IN NS ns1.xxxxx.net." local-data: "xxxxx.net. 86400 IN NS ns2.xxxxx.net." local-data: "xxxxx.net. 86400 IN SOA xxxxx.net. hostmaster.xxxxx.net.net. 3 3600 1200 604800 86400"

local-data: local-data: local-data: local-data: local-data: local-data: local-data:

"xxxxx.net. 86400 IN A 172.16.17.2" "www.xxxxx.net. 86400 IN A 172.16.17.2" "ns1.xxxxx.net. 86400 IN A 172.16.17.2" "ns1.xxxxx.net. 86400 IN A 172.16.17.20" "mail.x.x.x.net. 86400 IN A 192.168.70.1" "xxxxx.net. 86400 IN MX 10 mail.xxxxx.net." "xxxxx.net. 86400 IN TXT v=spf1 a mx ~all"

local-zone: "17.16.172.in-addr.arpa." static local-data: "17.16.172.in-addr.arpa. 10800 IN NS xxxxx.net." local-data: "17.16.172.in-addr.arpa. 10800 IN SOA xxxxx.net. hostmaster.xxxxx.net. 4 3600 1200 604800 864000" local-data: "2.17.16.172.in-addr.arpa. 10800 IN PTR xxxxx.net." local-data: "3.17.16.172.in-addr.arpa. 10800 IN PTR nms.xxxxx.net." local-data: "4.17.16.172.in-addr.arpa. 10800 IN PTR sadewa.xxxxx.net." forward-zone: name: "." forward-addr: 202.155.x.x forward-addr: 202.155.x.x remote-control: control-enable: yes control-interface: 127.0.0.1 control-port: 953 server-key-file: "/usr/local/etc/unbound/unbound_server.key" server-cert-file: "/usr/local/etc/unbound/unbound_server.pem" control-key-file: "/usr/local/etc/unbound/unbound_control.key" control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

server1# unbound-control stats thread0.num.queries=25 thread0.num.cachehits=0 thread0.num.cachemiss=25 thread0.num.recursivereplies=25 thread0.requestlist.avg=0.04 thread0.requestlist.max=1 thread0.requestlist.overwritten=0 thread0.requestlist.exceeded=0 thread0.requestlist.current.all=0 thread0.requestlist.current.user=0 thread0.recursion.time.avg=0.233503 thread0.recursion.time.median=0.0208524 thread1.num.queries=80 thread1.num.cachehits=5 thread1.num.cachemiss=75 thread1.num.recursivereplies=75 thread1.requestlist.avg=0.333333 thread1.requestlist.max=2 thread1.requestlist.overwritten=0 thread1.requestlist.exceeded=0 thread1.requestlist.current.all=0 thread1.requestlist.current.user=0 thread1.recursion.time.avg=0.087088

thread1.recursion.time.median=0.0320557 total.num.queries=105 total.num.cachehits=5 total.num.cachemiss=100 total.num.recursivereplies=100 total.requestlist.avg=0.26

OPTIMASI http://www.unbound.net/documentation..._optimise.html Misalnya dari server yang ada unboundnya, pakai perintah: tcpdump dst port 53 Lalu coba aktifkan natnya dan coba perhatikan, apakah ada request dari router yg melakukan nat? Pastikan juga tidak ada firewall yg menutup port 53 (UDP)

Quote: Originally Posted by mawan_30j named.cache nya kok gak bisa di download ya gan ?? wget ftp://ftp.internic.net/domain/named.cache apakah protokol ftp di blok ? jika di blok tidak akan bisa di download atau download disini wget http://www.internic.net/zones/named.root mv named.root named.cache coba dari ubuntungnya ; cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

utk tunning : Code:


modprobe ip_conntrack hashsize=131072

dan di /etc/sysctl.conf Code:


net.ipv4.ip_conntrack_max = 16777216

net.ipv4.netfilter.ip_conntrack_max = 16777216

trs sysctl p yup bener solusi utk menghindari contrack di mikrotik adalah dengan menggunakan mark route dan di dns boxnya baru bermain iptables/pf/ipfw utk memaksa trafik dns, contracknya mikrotik terbatas karena di build menggunakan busybox, kalau di distro bisa di naikkan lebih besar parameternya, tentunya menyesuaikan dengan besar memory, begitu juga dengan tranparent proxy utk user sebakul lebih efektif dengan mark route drpd dnat di mikrotik, dnatnya cukup di box proxy btw mungkin parameter ini bisa di tunning di mikrotik, defaultnya : Code:
/ip fi con tr > pr enabled: yes tcp-syn-sent-timeout: tcp-syn-received-timeout: tcp-established-timeout: tcp-fin-wait-timeout: tcp-close-wait-timeout: tcp-last-ack-timeout: tcp-time-wait-timeout: tcp-close-timeout: udp-timeout: udp-stream-timeout: icmp-timeout: generic-timeout: tcp-syncookie: max-entries: total-entries:

5s 5s 1d 10s 10s 10s 10s 10s 10s 3m 10s 10m no 32768 4688

Originally Posted by siber waktu menggunakan binb lumayan bengkak walau sudah di set max-cache-size 32Mb

sekarang cuma (72664K) lumayan IRIT MEM Mungkin perlu diset juga datasize(hard limit u/ daemon bind)nya Om? Pengalaman ane dulu sewaktu masih pakai bind u/ rekursif query, misalnya punya memory 1GB saya setnya begini Om: datasize 512M; max-cache-size 768M;

Full Unbound di ubuntu server /etc/network/interfaces Code:


iface eth0 inet static address 172.17.20.10 netmask 255.255.255.0 network 172.17.20.0 broadcast 172.17.20.255 gateway 172.17.20.1 # dns-* options are implemented by the resolvconf package, if installed dns-nameservers 127.0.0.1

/etc/resolv.conf Code:
nameserver 127.0.0.1

Forwarder unbound mengunakan dns nawala (porno2 masih bisa disikat) Code:
forward-zone: name: "." forward-addr: 180.131.144.144 forward-addr: 180.131.145.145

Mikrotik dns setting IP server unbound =172.17.20.10 Code:


/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=10240KiB max-udppacket-size=512 servers=172.17.20.10 /ip dns static add address=172.17.20.10 comment="" disabled=no name=unbound ttl=1d

Set dhcp u/ menggunakan unbound Code:


/ip dhcp-server network add address=10.5.50.0/24 comment="hotspot network" dns-server=172.17.20.10 gateway=10.5.50.1 netmask=8

Paksa seluruh dns request ke unbound Code:


/ip fi nat add action=dst-nat chain=dstnat comment="" disabled=no PROXY dst-port=53 protocol=udp \ src-address-list=HOTSPOT to-addresses=172.17.20.10 add action=dst-nat chain=dstnat comment="" disabled=no PROXY dst-port=53 protocol=tcp \ src-address-list=HOTSPOT to-addresses=172.17.20.10 dst-address-list=!IPto-ports=53 dst-address-list=!IPto-ports=53

Mohon petunjuk dari suhu unbound, apa sudah betul setingan diatas untuk memaximalkan unbound server ane ? Unbound ane juara 3 dunia Code:
/ Final benchmark results, sorted by nameserver performance: (average cached name retrieval speed, fastest to slowest) 216. 67.192. 3 | Min | Avg | Max |Std.Dev|Reliab%| ----------------+-------+-------+-------+-------+-------+ - Cached Name | 0.002 | 0.006 | 0.010 | 0.002 | 98.0 | - Uncached Name | 0.080 | 0.242 | 0.355 | 0.089 | 100.0 | - DotCom Lookup | 0.046 | 0.056 | 0.069 | 0.004 | 100.0 | ----------------+-------+-------+-------+-------+-------+ resolve01.kgmn.az.frontiernet.net Frontier Communications 68. 87. 64.154 | Min | Avg | Max |Std.Dev|Reliab%| ----------------+-------+-------+-------+-------+-------+ - Cached Name | 0.002 | 0.006 | 0.011 | 0.002 | 100.0 | - Uncached Name | 0.071 | 0.246 | 0.359 | 0.093 | 100.0 | - DotCom Lookup | 0.046 | 0.057 | 0.069 | 0.005 | 100.0 | ----------------+-------+-------+-------+-------+-------+ phil-dnssec-trial.inflow.pa.bo.comcast.net Comcast Cable 172. 17. 20. 10 | Min | Avg | Max |Std.Dev|Reliab%| ----------------+-------+-------+-------+-------+-------+ + Cached Name | 0.002 | 0.006 | 0.010 | 0.002 | 100.0 | + Uncached Name | 0.079 | 0.275 | 0.684 | 0.135 | 98.0 | + DotCom Lookup | 0.046 | 0.056 | 0.078 | 0.007 | 100.0 | ----------------+-------+-------+-------+-------+-------+ unbound Local Network Nameserver

hehe unbound di design bukan untuk full-featured "authoritative" DNS server tapi full featured "recursive" DNS server. kalau utk authrorive dns public saya prever djbdnscache sebagai front-end dan recursive ke intranet sebagai back-end dengan unbound, bisa dalam 1 server dedicated dns + xen tapi sekedar CNAME langsung saja Code:
local-zone: "example.com." static local-data: "example.com. 86400 IN NS ns1.hostingcompany.com." local-data: "example.com. 86400 IN NS ns2.hostingcompany.com." local-data: "example.com. 86400 IN SOA ns1.hostingcompany.com. hostmaster.hostingcompany.com. 2010082201 28800 7200 604800 86400" local-data: "example.com. 86400 IN A 1.2.3.4" local-data: "www.example.com. 86400 IN CNAME example.com." local-data: "mail.example.com. 86400 IN A 1.2.3.4" local-data: "example.com. 86400 IN MX 10 mail.example.com." local-data: "example.com. 86400 IN TXT v=spf1 a mx ~all"

utk cek : dig www.example.com CNAME

om siber, klo mo install di centos gimana??? juga g ada yum -y install unbound reponya update ke dag/rpmforge/epel

udah googling belum ketemu2... nyoba di grep

hxxp://fedora.mirror.facebook.net/epel/5/i386/unbound-1.4.4-1.el5.i386.rpm hxxp://fedora.mirror.facebook.net/epel/5/i386/unbound-devel-1.4.4-1.el5.i386.rpm hxxp://fedora.mirror.facebook.net/epel/5/i386/unbound-libs-1.4.4-1.el5.i386.rpm kalau mau update ke unbound-1.4.6 build saja dari src.rpm dan ganti unbound.spec versi & sourcenya ke unbound-1.4.6

clear dulu gan dns cache sebelumnya: jika menggunkana squid hrs di restart squidnya, jika menggunakan lusca cukup dengan : Code:
squidclient mgr:flushdns

trs di client windows xp juga harus di clear cache dnsnya Code:


ipconfig /flushdns

kenapa di saya begini ya gan Code:


root@myencinta:~# nslookup 192.168.200.100 Server: 192.168.155.2 Address: 192.168.155.2#53 ** server can't find 100.200.168.192.in-addr.arpa.: NXDOMAIN root@myencinta:~# nslookup myencinta.net Server: 192.168.155.2 Address: 192.168.155.2#53 Non-authoritative answer: Name: myencinta.net Address: 92.242.132.11

Name: myencinta.net Address: 92.242.132.11 di set di dns static nya mikrotik bro.... coba di /etc/resolv.conf di isi ini : Code:
nameserver 127.0.0.1

coba bantu gan.....file unbound_munin_sebelum di Code:


ln -s /usr/local/etc/unbound/unbound_munin_ /etc/munin/plugins/unbound_munin_hits

coba ganti Code:


[unbound*] user root env.statefile /etc/munin/plugins/unbound-state env.unbound_conf /etc/unbound/unbound.conf env.unbound_control /usr/sbin/unbound-control env.spoof_warn 1000 env.spoof_crit 100000

menjadi Code:
[unbound*] user root env.statefile /var/lib/munin/plugin-state/unbound-state env.unbound_conf /usr/local/etc/unbound/unbound.conf env.unbound_control /usr/local/sbin/unbound-control env.spoof_warn 1000 env.spoof_crit 100000

trus di bagian /etc/munin/plugin-conf.d/munin-node di tambahkan Code:


[unbound*] user root

atau bisa coba ke sini http://lost-and-found-narihiro.blogs...via-munin.html di koreksi bila salah bang.... masih belajar kalu ngga salah gini: di file /etc/resolv.conf, masukan ip 127.0.0.1 di squid.conf: Quote: dns_nameservers /etc/resolv.conf kalau salah tolong di benerin yah para master

sudah betul itu gan, tinggal client ganti dnsnya ke 192.168.3.2 dan jangan lupa, network yang terpasang unbound harus di masqurade/nat biar bisa akses keluar (wan/internet) good luck

Originally Posted by azzura2000 kalo dnsnya hotspot gimna ya?? soalnya kalo diset di mikrotik dengan dns unbound ga bisa browsing?

Hotspot : 192.168.99.1-254 Unbound : 192.168.33.1 Proxy : 192.168.254.12 Local :192.168.254.20-192.168.254.50 Unbound : PHP Code:
forward-zone: name: "." forward-addr: forward-addr: forward-addr: forward-addr: forward-addr: 125.160.2.34 180.131.144.144 180.131.145.145 202.134.1.10 222.124.204.34

DNS DHCP-Mikrotik PHP Code:


[admin@MikroTik] > /ip dhcp-server network print # ADDRESS GATEWAY DNS-SERVER SERVER DOMAIN 0 192.168.99.0/24 192.168.99.254 192.168.33.1 WINS-

Transparent DNS PHP Code:


[admin@MikroTik] > /ip firewall nat print Flags: X - disabled, I - invalid, D - dynamic ====delete==== 1 ;;; HOTSPOT-DNS-DIRECT chain=dstnat action=dst-nat to-addresses=192.168.33.1 toports=53 protocol=udp src-address=192.168.99.0/24 in-interface=5-Hotspot dst-port=53 ;;; LOCAL-DNS-DIRECT chain=dstnat action=dst-nat to-addresses=192.168.33.1 toports=53 protocol=udp src-address=192.168.254.0/24 in-interface=2-LOCAL dst-port=53 2

root@fmi:~# unbound-control stats error: SSL handshake failed 1766:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:951:

ada yang bisa bantu gk? Kalau menurut saya coba yang ini diulangi lagi gan : Quote: cd /etc/unbound

wget ftp://FTP.INTERNIC.NET/domain/named.cache unbound-control-setup chown unbound:root unbound_* chmod 440 unbound_* Habis itu restart

You might also like